Thursday, February 17, 2011

General threat information

The spear phishing method used in this attack is far from new or sophisticated. I am posting the following information because of the particularly invasive approach of the attack. Google, Yahoo, and other personal mail services do not offer the same protection against spoofing and malware as enterprise accounts. In addition, personal mail is often read at home in a relaxed atmosphere, which helps catch the victim off guard, especially if a message appears to arrive from a frequent contact. Some people have a habit of forwarding messages from their enterprise account to personal mail for safekeeping or easy reading at home, which can expose sensitive information.

Domain: google-mail.dyndns.org in this example, but many others are in use.

Type: "View" / "Download" links styled like Gmail's own attachment links, masquerading as a way to view or download an attachment. The message itself carries no attachment.

Distribution: targeted phishing message containing an email link, sent to the Gmail account of a person associated with military or political affairs. Links are customized and individualized for each target.

Target recipients: government and non-government employees working on questions of defense, political affairs and national security; defense/military personnel; etc.

Attack approach: victims get a message from the spoofed address of a close associate or a collaborating organization/agency. The message is crafted to look like it has an attachment, with "View" and "Download" links and the name of the supposed attachment. The link leads to a fake Gmail login page that harvests credentials.

Once the attackers get the credentials, they log in to the victim's Gmail account and may do the following:

Create filter rules to forward all incoming mail to another account. The third-party account ID is made to closely resemble the victim's ID.

Read mail and gather information about the closest associates and family/friends, especially frequent correspondents.

Use the harvested information to make future mailings more plausible. Some messages are empty, while others reference family members and friends (e.g. mention spouses' names or refer to recent meetings) and are plausible enough to draw responses or conversations from victims. We are not posting those examples due to their personal nature.

Send such emails on a monthly or biweekly basis. The messages differ, as you can see below, but all carry the same link and are designed to re-harvest the victim's credentials so that the ones the attackers already hold stay current.
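The forwarding rule in the first point above is the one persistence step a victim can still audit after the fact. The following Python snippet is an added example, not code from the original post or from the attackers' kit: it parses a Gmail filter export (the XML file produced by Settings > Filters > Export; the `apps:property` names it keys on, such as `forwardTo` and `hasTheWord`, are assumed from that format) and flags every forwarding filter, marking catch-all rules and forward targets that closely resemble the mailbox owner's own address. The export file, the owner address and the lookalike address are constructed for the example.

```python
import difflib
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Property names Gmail's filter export uses for match criteria (assumption based on the
# export format); every other property (forwardTo, label, shouldArchive, ...) is an action.
CRITERIA_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord", "hasAttachment")

# Constructed sample in the shape of a Gmail "Export filters" file. The mailbox owner is
# jsmith2011@gmail.com; one filter forwards everything to a lookalike address that swaps the
# trailing digit 1 for the letter l, another forwards HR mail to an unrelated address.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='*'/>
    <apps:property name='forwardTo' value='jsmith201l@gmail.com'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='hr@example.com'/>
    <apps:property name='forwardTo' value='payroll@example.com'/>
  </entry>
</feed>
"""

OWNER = "jsmith2011@gmail.com"  # constructed mailbox owner


def parse_filters(xml_text: str) -> list[dict[str, str]]:
    """Return one {property name: value} dict per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def similarity(a: str, b: str) -> float:
    """Case-insensitive string similarity in [0, 1]; 1.0 means identical."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def audit_forwarding(xml_text: str, owner: str, threshold: float = 0.85) -> list[dict]:
    """List every filter that forwards mail, flagging catch-alls and owner-lookalike targets."""
    report = []
    for props in parse_filters(xml_text):
        target = props.get("forwardTo")
        if not target:
            continue
        criteria = {k: props[k] for k in CRITERIA_KEYS if k in props}
        score = similarity(owner, target)
        report.append({
            "forward_to": target,
            "criteria": criteria,
            # No criteria at all, or the '*' wildcard, means every incoming message is forwarded.
            "catch_all": not criteria or criteria == {"hasTheWord": "*"},
            "lookalike": score >= threshold,
            "similarity": round(score, 2),
        })
    return report


if __name__ == "__main__":
    for hit in audit_forwarding(SAMPLE_EXPORT, OWNER):
        flags = [f for f in ("catch_all", "lookalike") if hit[f]]
        print(f"forwards to {hit['forward_to']}  similarity={hit['similarity']}  "
              f"flags={flags or ['none']}  criteria={hit['criteria']}")
```

Run against a real export, the filter that forwards to the lookalike address with no criteria is the one to remove first; a forward to an unrelated address with narrow criteria may well be legitimate and deserves a question rather than deletion.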


Post Updates

Update June 5, 2011: There has been a lot of speculation over the past few days on how much sensitive data a hacker can find in personal email accounts, considering that it is against the rules in most places to use personal accounts for work. Although there are strict rules for classified messages and documents, the intruders are often satisfied with merely sensitive or merely informational messages for building the picture they need. While I don't know how strict the rules are at the White House, the following behavior is common for at least some US Government offices and for many companies. This information is from my own knowledge, as well as accounts of people working for the US Government, the military, Fortune 500 companies, non-government research institutions, and other places.

[image: table of common personal-email usage scenarios, not reproduced here]

I am sure you will find none of these scenarios surprising; they are all very common.

Original Messages

"Fw: Draft US-China Joint Statement" purports to come from dorsetttr1@state.gov, a non-existent account on a spoofed domain. The other sender addresses (redacted in the screenshots) are real accounts that were spoofed.

The phishing link information

The link in the email messages is always the same (below) and redirects the victim to a fake Gmail login page; the credentials are harvested before the victim is redirected on to the real mailbox.

Link: hxxp://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive=true&rm=false&continue=bsv=1grm8snv3&ss=1&scc=1&ltmpl=default&ltmplcache=2/ServiceLoginAuth.php?u=VictimGmailID

Note that the query-string lookalike (service=mail&passive=true&...) sits inside the path rather than after a "?", so it is purely decorative; the only real parameter is u=, which carries the target's Gmail ID so the fake page can pre-fill it.
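As an added example (not code from the post), here is a small Python checker for the two cues in that link that actually matter to an end user, the wrong domain and the missing SSL, plus the details specific to this kit: the dynamic-DNS hostname, the brand name embedded in a third-party host, digit-for-letter lookalikes such as goog1e.com (the variant a commenter below suggests), and the pre-filled u= parameter. The comparison URLs and the dynamic-DNS suffix list are constructed for the example, and the list of legitimate sign-in hosts is an assumption about Google's 2011 login flow.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hostnames Google itself served the account sign-in page from at the time
# (assumption for this example; extend for the current accounts.google.com flow).
LEGIT_LOGIN_HOSTS = {"www.google.com", "accounts.google.com"}

# Dynamic-DNS suffixes commonly abused for throwaway phishing hosts (constructed list).
DYNDNS_SUFFIXES = (".dyndns.org", ".no-ip.org", ".dynu.com")

# Path fragments copied from the genuine sign-in URL that a lookalike tends to reuse.
LOGIN_PATH_TOKENS = ("/accounts/", "servicelogin")

# The link from the post (defanged hxxp:// kept as written there) and two constructed
# comparison URLs: the genuine 2011 sign-in URL and a homoglyph domain.
PHISH_URL = ("hxxp://google-mail.dyndns.org/accounts/ServiceLoginservice=mail&passive=true"
             "&rm=false&continue=bsv=1grm8snv3&ss=1&scc=1&ltmpl=default&ltmplcache=2"
             "/ServiceLoginAuth.php?u=VictimGmailID")
LEGIT_URL = "https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false"
HOMOGLYPH_URL = "https://accounts.goog1e.com/ServiceLogin?service=mail"


def refang(url: str) -> str:
    """Turn the hxxp:// or hxxps:// defanging used in write-ups back into a parsable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def is_google_host(host: str) -> bool:
    """Exact match or a true subdomain of google.com; 'google.com.evil.tld' does not qualify."""
    return host in LEGIT_LOGIN_HOSTS or host == "google.com" or host.endswith(".google.com")


def check_login_url(url: str) -> list[str]:
    """Return the reasons a URL looks like a counterfeit Google sign-in page (empty if none)."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    findings: list[str] = []

    mimics_login = any(tok in path for tok in LOGIN_PATH_TOKENS)
    if mimics_login and not is_google_host(host):
        findings.append(f"sign-in-like path on non-Google host {host!r}")
    if parts.scheme != "https":
        findings.append("not served over https")
    if host.endswith(DYNDNS_SUFFIXES):
        findings.append("dynamic-DNS hostname")
    if "google" in host and not is_google_host(host):
        findings.append("brand name embedded in a third-party hostname")
    # Digit-for-letter substitutions (goog1e, g00gle): normalise digits and compare again.
    normalised = host.translate(str.maketrans("10", "lo"))
    if "google" in normalised and "google" not in host:
        findings.append(f"homoglyph of 'google' in hostname {host!r}")
    # This kit pre-fills the target's address so the page looks personalised.
    prefilled = parse_qs(parts.query).get("u")
    if prefilled:
        findings.append(f"target account pre-filled via u={prefilled[0]}")
    return findings


if __name__ == "__main__":
    for u in (PHISH_URL, LEGIT_URL, HOMOGLYPH_URL):
        print(u)
        for reason in check_login_url(u) or ["no indicators"]:
            print("  -", reason)
```

The host check deliberately tests for an exact domain or a true subdomain rather than a substring, because "google" appearing anywhere in a hostname is exactly what the attacker here relied on.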

Analysis

LoginServiceAuthen.htm is the fake login page (note that Google's real login endpoint is ServiceLoginAuth, which the link above imitates as ServiceLoginAuth.php; the kit's own file name is close to it but not identical).

The fake login page submits the credentials in clear text and then redirects to Gmail. The only validation is a password length check: if the password is shorter than 6 characters it displays an 'Enter your password' pop-up; otherwise it accepts ANY password and redirects the victim on to Google.

The page also fingerprints the visitor's installed software remotely (type of antivirus, browser, Flash, and cookie configuration). This part of the script is borrowed from the Chinese-made so-called xKungfoo script, which can be found in many places on the internet.

This gives too much emphasis on insignificant visual clues that the attacker can easily resolve. Unless you're trying to embarrass the attackers with their shoddy work.

An attacker could easily create a perfect and up-to-date visual clone with the correct page name and links. The only significant information here for end users is that the domain name is wrong and SSL is not used, and they could even have done a better job of that. Perhaps using a phishing address such as goog1e.com and enabling SSL.

The best advice for high-profile targets is to understand how to verify that the site certificate is the correct one for Google. The browsers could do more here.

I'm also very fond of the two-stage authentication mechanism from Google, which makes this type of attack very difficult.

- Matt [ Not available for designing scams :-) ]

-- The visual clues are not advice or things to watch for in the future but an explanation of the past event. I am sure the next one will be better done and perhaps very different.

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.